CVE-2019-13179

HIGH

Calamares < 3.2.10 - Insufficiently Protected Credentials

Title source: rule

Description

Calamares versions 3.1 through 3.2.10 copy a LUKS encryption keyfile from /crypto_keyfile.bin (mode 0600, owned by root) to /boot inside a globally readable initramfs image with insecure permissions. Any user can therefore read this originally protected file, which discloses the decryption keys for LUKS containers created with Full Disk Encryption.

Scores

CVSS v3 7.5
EPSS 0.0085
EPSS Percentile 74.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Classification

CWE
CWE-522
Status published

Affected Products (1)

calamares/calamares < 3.2.10

Timeline

Published Jul 02, 2019
Tracked Since Feb 18, 2026